Cyber True Crime: The Affiliate Part 2

Welcome back to the cyber true crime blog series The Affiliate. Part 1 provided an introduction to ransomware, how RaaS works and where the ransomware gang we’ll be focusing on, NetWalker, fits into the narrative. In this second installment, we unravel how one becomes a member of NetWalker and the sort of malicious activities that the ransomware gang participated in.

If you missed Part 1 of the series, you can read it here.

Based on data provided by the FBI, NetWalker has targeted more than 100 organizations, including emergency services, law enforcement, school districts and educational institutions, and has reportedly extracted tens of millions of dollars in ransom payments.

Behind the Scenes

So how do they do it? According to an unsealed FBI document, organizations learn that they have been the target of a NetWalker ransomware attack, and that their data has been encrypted, from a ransom note that appears on one or more computers on their network. The note has been partially released by FBI investigators and reads:

Hi! Your files are encrypted by NetWalker … if for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the inability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery … Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business.

As we can see in the portion of the ransom note we have access to, NetWalker uses social engineering to induce fear and panic in the recipients of their calculated attacks. They use language that would promote feelings of fear, defeat and hopelessness, and brag about the alleged strength of their ransomware to coerce organizations into paying the ransom.

Though not included in the released portion of the ransom note, targeted organizations also receive “a unique code for the URL to a website hosted on the dark web.” FBI investigators found that the URL leads to the NetWalker Tor Panel, a site reachable only through the Tor network. Tor protects the identity of both the people hosting a site and the people visiting it by routing traffic through a chain of relays: the victim’s internet service provider sees only a connection to a Tor relay, not the destination, and the site operator sees only the Tor circuit, not the visitor’s real Internet Protocol (IP) address. This makes Tor particularly useful to cybercriminals, since neither the hosting location of the panel nor the identities of the affiliates using it are directly exposed to service providers or authorities.


Through their investigation, the FBI found that once the unique code is entered, the targeted organization will see the ransom amount demanded in Bitcoin and instructions for paying it. Although not mentioned in the brief snippet we have access to, targets of NetWalker ransomware who follow the gang’s instructions are prompted to communicate with an affiliate via the NetWalker Tor Panel chat function, most likely to complete the transaction.

If the targeted organization pays the ransom in Bitcoin, the payment is split between the developers and the affiliate according to a pre-established agreement between the two. Because the negotiation happens over the NetWalker Tor Panel and the payment lands in pseudonymous Bitcoin addresses, the anonymity of the gang’s members is maintained, and tracing the transaction back to the people who received it is difficult even though the transfer itself is recorded publicly on the blockchain.


Identifying NetWalker members is made even more challenging by the fact that they are identified not by name but by a “User ID” number, according to the FBI investigation. As a result of that investigation, and as we will explain more fully in future blogs, Vachon, who was charged with participating as an affiliate of the NetWalker ransomware gang, is known as User ID 128 on the NetWalker Tor Panel.

A Career in Cyber Crime

But how does one become involved with a criminal organization like NetWalker? Much like a legitimate job, there is an application process. As part of their investigation, FBI officials found a job advertisement for NetWalker posted on a criminal forum, which indicated that candidates should “identify their area of technological expertise, experience, and other ransomware variants with which they had worked.”


It is unclear just how much experience and expertise were required to land a role like this. Since affiliates do not need deep technical knowledge to target an organization and carry out an attack with a ready-made RaaS toolkit, it is likely that most applicants were at least considered, if this is the process the gang followed. The FBI has not described the exact vetting process in any publicly accessible document.

Now that we have a general idea of how NetWalker works, in our next blog we’ll go over how the Affiliate went about researching and attempting to hide his alleged criminal activity from authorities through international servers.

The More You Know

Understanding what motivates criminals, who they are and how they work is a vital part of building a more resilient organization. It helps make cybersecurity more real for everyday people and helps individuals and organizations develop plans to better protect themselves from cyber threats. Please consider sharing this series to help more people understand 21st-century crime and how to protect themselves.
